Add docs for applying CORS to SignalR hubs without global middleware (#36936)

Copilot · wadepickett · web-flow · commit bdd837c5cfdf · 2026-04-01T12:10:56.000-07:00
* Initial plan * Add content about enabling CORS for SignalR without applying the policy globally Add a new subsection "Apply a CORS policy to SignalR hub endpoints" under the CORS section in SignalR security docs. Documents two approaches: 1. Using RequireCors on the MapHub endpoint mapping 2. Using the [EnableCors] attribute on the Hub class Applied across all relevant moniker versions (8.0+, 7.0, 6.0, 3.0-5.x). Agent-Logs-Url: https://github.com/dotnet/AspNetCore.Docs/sessions/c6bf092e-343b-49ad-bfa1-e83078d9e265 Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> * Add named CORS policy registration example to SignalR hub CORS subsection Show the AddCors/AddPolicy snippet that defines "SignalRPolicy" before it's referenced in the RequireCors and [EnableCors] examples. Agent-Logs-Url: https://github.com/dotnet/AspNetCore.Docs/sessions/eeaca9de-513b-4a43-a838-4e3f6ca91450 Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> * Add author information to security.md * Apply suggestion from @wadepickett * Apply suggestions from code review Co-authored-by: Wade Pickett <wpickett@microsoft.com> * Apply suggestions from code review Co-authored-by: Wade Pickett <wpickett@microsoft.com> * Revert changes to security2.1-5.md, security6.md, and security7.md Per BrennanConroy's feedback, these are unsupported versions and don't need the CORS documentation update. The new CORS subsection is retained only in security.md (aspnetcore 8.0+). Agent-Logs-Url: https://github.com/dotnet/AspNetCore.Docs/sessions/c741589c-d9d2-40d2-ad8e-14eed4304350 Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: wadepickett <10985336+wadepickett@users.noreply.github.com> Co-authored-by: Wade Pickett <wpickett@microsoft.com>
diff --git a/aspnetcore/signalr/security.md b/aspnetcore/signalr/security.md
@@ -1,13 +1,15 @@
 ---
 title: Security considerations in ASP.NET Core SignalR
+ai-usage: ai-assisted
 author: wadepickett
 description: Learn about security in ASP.NET Core SignalR.
 monikerRange: '>= aspnetcore-2.1'
 ms.author: wpickett
 ms.custom: mvc
-ms.date: 02/20/2024
+ms.date: 03/31/2026
 uid: signalr/security
 ---
+
 # Security considerations in ASP.NET Core SignalR
 
 By [Andrew Stanton-Nurse](https://twitter.com/anurse)
@@ -39,6 +41,44 @@ For example, the following highlighted CORS policy allows a SignalR browser clie
 
 In the previous example, the CORS policy is customized to allow specific origins, methods, and credentials. For more information on customizing CORS policies and middleware in ASP.NET Core, see [CORS middleware: CORS with named policy and middleware](xref:security/cors#cors-with-named-policy-and-middleware).
 
+### Apply a CORS policy to SignalR hub endpoints
+
+Instead of applying a CORS policy globally with the `UseCors` middleware, you can apply CORS specifically to SignalR hub endpoints. This approach allows different CORS policies for different parts of the app.
+
+There are two ways to apply a CORS policy to SignalR hubs: chaining `RequireCors` on the endpoint mapping, or adding the `[EnableCors]` attribute to the Hub class. Both approaches require a named CORS policy to be registered in the service configuration. The following example defines a policy named `"SignalRPolicy"`:
+
+```csharp
+builder.Services.AddCors(options =>
+{
+    options.AddPolicy("SignalRPolicy", policy =>
+    {
+        policy.WithOrigins("https://example.com")
+            .AllowAnyHeader()
+            .WithMethods("GET", "POST")
+            .AllowCredentials();
+    });
+});
+```
+
+**Apply the CORS policy on the hub endpoint mapping** by chaining <xref:Microsoft.AspNetCore.Builder.CorsEndpointConventionBuilderExtensions.RequireCors%2A> on the `MapHub` call:
+
+```csharp
+app.MapHub<ChatHub>("/chatHub")
+    .RequireCors("SignalRPolicy");
+```
+
+**Apply the CORS policy on the Hub class** by adding the [`[EnableCors]`](xref:Microsoft.AspNetCore.Cors.EnableCorsAttribute) attribute:
+
+```csharp
+[EnableCors("SignalRPolicy")]
+public class ChatHub : Hub
+{
+    // ...
+}
+```
+
+For more information on enabling CORS with endpoint routing, see [Enable CORS with endpoint routing](xref:security/cors#enable-cors-with-endpoint-routing).
+
 ## WebSocket Origin Restriction
 
 The protections provided by CORS don't apply to WebSockets. For origin restriction on WebSockets, read [WebSockets origin restriction](xref:fundamentals/websockets#websocket-origin-restriction).
